Establishing controls and assurance in the cloud

May 7, 2012 By David
Grazed from InformationWeek.  Author: A. Rafeq.

Cloud computing is rapidly emerging as the next big IT service because of its pay-as-you-go model. It is a key enabler for all enterprises, but especially for small and medium enterprises, because it makes computing power available on demand as a utility and drastically reduces up-front investment in IT infrastructure. The growing shift to cloud computing can deliver significant value, but most enterprises have little awareness of the perils of transferring IT decision making away from technology specialists to business unit leaders.

Removing oversight and governance from cloud computing decisions creates significant risk for an organisation: it can undermine the benefits of moving to the cloud and, at the same time, create serious problems of its own. Before jumping on the cloud bandwagon, it is important to examine how the cloud can be used to create value for the enterprise…

Enterprises considering the use of the cloud in their environment should calculate what cost savings the cloud can offer them and what additional risks it introduces. Once potential cost savings and risks are identified, enterprises will have a better understanding of how they can leverage cloud services. The business must work with legal, security and assurance professionals to ensure that the appropriate levels of security and privacy are achieved.

While cloud computing is certainly poised to deliver many benefits, business leaders need to involve information security and assurance professionals in conducting business impact analyses and risk assessments so as to evaluate the potential risks to their enterprise. Risk management activities must continue throughout the information life cycle, with risks reassessed regularly and whenever a change occurs. The need to implement controls and obtain assurance becomes much more critical in a cloud environment, since much of the control operates at the provider. Hence, it is important for management to be aware of the controls and countermeasures available in the cloud, and business process owners need to ensure that the right level of control objectives is implemented by the cloud service provider and verified, rather than assumed.

Based on research confirming the increasing importance and growth of cloud computing and the need for guidance, ISACA, a global non-profit IT association, has brought out publications addressing how governance, security and control can be implemented in a cloud computing environment. ISACA has a dedicated section on its website

The cloud is a major change in how computing resources are utilized, and as such it will be a major governance initiative within adopting organizations, requiring the involvement of a broad set of stakeholders. When an enterprise decides to use cloud services for some or all of its IT services, its business processes are affected, which makes governance more critical than ever.

Building on more than 15 years of practice in the business, IT, risk, security and assurance communities, ISACA’s recently released COBIT 5 provides the next generation of guidance on a critical business issue—the governance and management of enterprise IT. COBIT 5 is a fully customizable framework relevant to enterprises of all sizes, in all industries and in any country.

The COBIT 5 framework is built on five fundamental principles: meeting stakeholder needs, covering the enterprise end to end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. COBIT 5 best practices can be adapted to a cloud implementation to provide a holistic and comprehensive approach that integrates the needs of the business, management, IT security, assurance and compliance.